The goal of this paper is to introduce the ideas and methodology of generic case complexity to the cryptography community. This relatively new approach allows one to analyze the behavior of an algorithm on "most" inputs in a simple and intuitive fashion, which has some practical advantages over classical methods based on averaging.

We present an alternative definition of a one-way function using the concepts of generic case complexity and show its equivalence to the standard definition. In addition, we demonstrate the convenience of the new approach by giving a short proof that extending adversaries to a larger class of partial algorithms with errors does not change the strength of the security assumption.



1 Introduction 



Generic case complexity originated about a decade ago in combinatorial group theory [10], [2]. This area has long computational traditions, with many fundamental problems being algorithmic in nature. It has been shown that most computational problems in infinite group theory are recursively undecidable. However, it was also observed that decision algorithms, sometimes very naive ones, exist for many inputs even if a problem is undecidable in general.

Generic complexity was suggested as a way of analyzing the behavior of undecidable problems. The main question was to describe the complexity of a problem on a generic input, or on a set which contains most of the inputs. The idea was to separate the sets of inputs where algorithms work from the "bad" ones. It happened that quite often the inputs on which algorithms fail to provide an answer form a small set.

In computer science, around the 1980s, the same kind of arguments preceded the development of average case complexity. More recently, heuristic classes of algorithms were introduced [1].

Advocates of the generic complexity approach argue (see discussions in [5]) that it is simpler, more intuitive and more general than average case complexity. The connection between the two areas has been studied and it is known that there are problems which are hard on average, but generically easy. It turns out, however, that if an algorithm is easy on average it is also easy generically.

The relation between generic complexity and heuristic complexity is less explored. It was shown [5] that the classes of generic algorithms and errorless heuristic algorithms are equivalent. It seems that generic complexity has some advantage, as the area has significantly progressed in recent years. For example, the completeness theory for generic complexity has been developed.

Here we list some results in generic complexity. As we mentioned above, the foundations were built in group theory. In particular, it has been shown that the famous word and conjugacy problems in finitely presented groups can be decided in linear time on a generic set of inputs, although these problems are undecidable in general [10].



In the scope of classical complexity results, the most important is the existence of polynomial reductions for generic complexity. Using these reductions it has been shown that there exist generically NP-complete problems; for example, bounded versions of the halting and Post correspondence problems are generically NP-complete [5]. Another interesting result shows that the halting problem for a model of a Turing machine with a one-way infinite tape is linearly decidable on a generic set of inputs [9]. It is not known whether the result holds for an arbitrary Turing machine, but it was shown that the set on which the problem is decidable cannot be strongly generic [13].

In [11] the authors describe a particular procedure which, given an undecidable problem, allows one to construct a problem undecidable on every generic set of inputs. This generic amplification shows that generically hard (undecidable) problems exist.

It was also suggested that generic complexity might be useful for cryptographic applications, particularly for testing security assumptions of cryptographic primitives. Intuitively, we would like a cryptographic primitive to be hard to break on most inputs, which seems like a straightforward application of the ideas of generic complexity. The main goal of this paper is to introduce the ideas and methodology of generic complexity to the cryptography community. We present alternative definitions of one-way functions based on the concept of generic complexity.

These new definitions allow one to consider, in a natural way, one-way function candidates coming from undecidable problems. We show that any such "generic" one-way function can be used to produce a classical one. Therefore, any new generic one-way function comes along with a new classical one. Furthermore, in our opinion these new definitions are more intuitive and easier to work with. Indeed, the new security assumption is just a more precise formalization of the original notion due to Diffie and Hellman [3]: in a sense, it separates the probability over the inputs from the probability over the oracle choices, which makes considerations easier. As an illustration, we give a short proof that extending adversaries to a larger class of partial algorithms with errors does not change the strength of the security assumption.

In a subsequent paper we are going to discuss some potential generic one-way functions that are related to undecidable problems in algebra.

1.1 Generic complexity notations 

In this section we give a brief overview of the basic notions and definitions used in generic complexity. For a more detailed introduction to the subject and the latest results we refer to [5].

Let $I$ be a set of inputs. In this paper we consider the traditional binary representation of inputs and set $I = \{0,1\}^*$. With each input we associate a size function $|\cdot| : I \to \mathbb{N}$, which is the length of a string from $I$.

First we define a stratification of inputs. In general a stratification of the set $I$ is an ascending sequence of subsets whose union is equal to $I$. In the paper we will use the spherical stratification on strings, which we define next.

Definition 1.1 (Spherical Stratification). Let $I = \{0,1\}^*$ be a set of inputs. Define a sphere of radius $n$ by

$$I_n = \{x \mid x \in I,\ |x| = n\}.$$

Then the sequence $I_0, I_1, I_2, \ldots$ is a spherical stratification of $I$. Note that the sets $I_i$ are finite and $\bigcup_{i \ge 0} I_i = I$.



There are other commonly used stratifications available. For example, one can stratify the set $I$ using balls $B_n$ of radius $n$, where $B_n$ is the set of inputs of length at most $n$.

Definition 1.2. Let $I = \{0,1\}^*$ and let $I_n \subseteq I$ be the sphere of radius $n$. Let $\mu_n$ be a probability distribution on the sphere $I_n$. The collection $\{\mu_0, \mu_1, \mu_2, \ldots\}$ of all such distributions is called an ensemble of spherical distributions over $I$ and is denoted by $\{\mu_n\}$.

In the paper we will be mostly concerned with the ensemble of uniform spherical distributions $\{u_n\}$ over $I$. For a set $R \subseteq I$ we define

$$u_n(R) = \frac{|R \cap I_n|}{|I_n|},$$

where $|X|$ is the cardinality of a set $X$.

Next we define the asymptotic density of a set in $I$.

Definition 1.3 (Asymptotic Density). Let $\mu = \{\mu_n\}$ be an ensemble of spherical distributions over a set $I$. A set of inputs $R \subseteq I$ is said to have asymptotic density $\rho(R) = \alpha$ if

$$\lim_{n \to \infty} \mu_n(R \cap I_n) = \alpha.$$

A set $R$ is called generic with respect to $\mu$ if its asymptotic density is 1, and it is called negligible if the asymptotic density is 0.

Definition 1.4. Let $R \subseteq I$ and suppose the asymptotic density $\rho(R)$ exists. The function

$$\delta_R(n) = \mu_n(R \cap I_n)$$

is called the density function for $R$.

A practical measure of the "largeness" of a set often corresponds to the rate with which the limit in Definition 1.3 converges. The convergence can be naturally described by obtaining upper bounds on the density function of a set. One particular type of sets of interest are sets which have superpolynomial convergence rates.

Definition 1.5. Let $R \subseteq I$ and let $\delta_R(n)$ be the density function of $R$. We say that $R$ has asymptotic density $\rho(R)$ with superpolynomial convergence if

$$|\rho(R) - \delta_R(n)| < \frac{1}{p(n)}$$

for every polynomial $p(n)$ and all sufficiently large $n$.

Definition 1.6 (Strongly Generic/Negligible). A generic set with superpolynomial con- 
vergence is called strongly generic and its complement is called a strongly negligible set. 
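Definitions 1.3 to 1.6 on two concrete sets, as an added example (this is not code from the paper). Both sets below are constructed for the illustration and both are negligible (asymptotic density 0), but only the first converges superpolynomially: the strings of Hamming weight at most 1 have density $(n+1)/2^n$, while the strings whose first $\lceil \log_2 n \rceil$ bits are zero have density about $1/n$, which a polynomial bound $1/n^2$ already fails to dominate. The density function is computed exactly under the uniform spherical distribution by enumerating the sphere $I_n$.

```python
from fractions import Fraction
from itertools import product


def sphere(n):
    """I_n: all binary strings of length n, represented as tuples of 0/1."""
    return list(product((0, 1), repeat=n))


def density_function(pred, n):
    """delta_R(n) = u_n(R ∩ I_n) for R = {x : pred(x)} under the uniform spherical distribution."""
    members = sum(1 for x in sphere(n) if pred(x))
    return Fraction(members, 2 ** n)


# Two constructed sets, both negligible (asymptotic density 0).
def low_weight(x):
    """R_1: strings of Hamming weight at most 1; |R_1 ∩ I_n| = n + 1, so delta(n) = (n+1)/2^n."""
    return sum(x) <= 1


def leading_zero_block(x):
    """R_2: strings whose first ceil(log2 n) bits are all zero (n = len(x)); delta(n) is about 1/n."""
    n = len(x)
    k = max(1, (n - 1).bit_length())  # ceil(log2 n) for n >= 2
    return all(b == 0 for b in x[:k])


def converges_superpolynomially(pred, limit, degree, n_values):
    """Definition 1.5 checked for one polynomial p(n) = n^degree at the given n:
    is |rho(R) - delta_R(n)| < 1/n^degree for every n in n_values?"""
    return all(abs(limit - density_function(pred, n)) < Fraction(1, n ** degree)
               for n in n_values)
```

Running the check with `degree=2` on `n_values=(12, 14, 16)` returns `True` for `low_weight` and `False` for `leading_zero_block`; a finite check of this kind cannot prove superpolynomial convergence, but it shows the separation the definition draws between a set that shrinks exponentially and one that shrinks only like an inverse polynomial.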

1.2 One-Way functions

The existence of one-way functions is one of the most basic and important assumptions in cryptography. In fact, the existence of one-way functions is a minimal assumption required for constructing other cryptographic primitives such as pseudorandom number generators, encryption and signature schemes.

Diffie and Hellman [1] define one-way functions:

"a function $f$ is a one-way function if, for any argument $x$ in the domain of $f$, it is easy to compute the corresponding value $f(x)$, yet, for almost all $y$ in the range of $f$, it is computationally infeasible to solve the equation $y = f(x)$ for any suitable argument $x$."

There are two key points in the definition above: "for almost all" and "computationally infeasible". A lot of attention is still concentrated on the development and understanding of these two notions and their consequences from the practical point of view.

It is well accepted now that one-way functions cannot be defined using deterministic worst-case complexity classes like P and NP, and randomized computation is the default model for cryptographic purposes.

A common argument for the necessary conditions for one-way functions to exist proceeds as follows [3]. Suppose we have a cryptographic scheme. Legitimate parties should be able to decode the secret efficiently, which means that there exists a polynomial-time verifiable witness to the decoding and the problem of breaking the cryptographic scheme is in NP. For a cryptographic scheme to be considered secure there should be no practical algorithm to break the encryption. Therefore, if a secure cryptographic scheme exists then NP $\not\subseteq$ BPP. Whether BPP contains NP is an open problem. Note that NP $\not\subseteq$ BPP implies that P $\ne$ NP.

The NP $\not\subseteq$ BPP condition is a necessary, but not sufficient, condition for a secure cryptographic scheme to exist. Observe that the probability distribution in the definition of the class BPP is taken over the internal states of a probabilistic machine only. The condition which bounds away the probability of an error must hold for all inputs. In this sense BPP is analogous to P and still reflects the behavior of a problem on the worst-case inputs, but with respect to randomized algorithms.

A positive answer to the problem NP $\not\subseteq$ BPP may have no practical implications for cryptography, unless there are problems which belong to NP $\setminus$ BPP and are hard on a significantly large fraction of inputs. Speaking in terms of generic complexity, a problem may be considered hard if there is no efficient algorithm which solves the problem on anything but a strongly negligible set of inputs.

In cryptography the existence of many useful primitives like secure symmetric encryption, pseudorandom number generators and digital signature schemes is reduced to the existence of one-way functions, which we define next. In general there are two notions of one-way functions, a strong and a weaker one.

Let $\Pr_{(x,\sigma)}$ denote the probability taken uniformly over all pairs $(x, \sigma) \in I_n \times S$, where $I_n$ is the set of all inputs of length $n$ and $S = \{0,1\}^{t(n)}$ is the space of internal coin flips of a probabilistic algorithm whose running time is bounded by some polynomial $t(n)$. Similarly we define $\Pr_\sigma$ as the uniform probability taken over $S$ only.

One of the most commonly accepted definitions of a one-way function (strong one-way function) is the following.

Definition 1.7 (Strong One-Way function [3]). A function $f : \{0,1\}^* \to \{0,1\}^*$ is called strongly one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on an input $x$ algorithm $A'$ outputs $f(x)$;

2. Hard to invert: For every probabilistic polynomial-time algorithm $A$, every positive polynomial $p$, and all sufficiently large $n$:

$$\Pr_{(x,\sigma)}[A(f(U_n), 1^n) \in f^{-1}(f(U_n))] < \frac{1}{p(n)},$$

where $U_n$ is a random variable uniformly distributed over $\{0,1\}^n$ and the probability is taken over all input strings from $\{0,1\}^n$ and the internal states of $A$.

Here and in the rest of the article "polynomial-time algorithm" means an algorithm that always halts after a polynomial (in the length of the input) number of steps. Note that in addition to an input in the range of $f$ the algorithm $A$ is given the auxiliary input $1^n$, which has the same length as the desired output of $A$. This is done to protect from the situations when the function $f$ drastically reduces the length of its input (for example $|f(x)| = \log_2(|x|)$). Obviously no algorithm can invert such a function $f$ in a polynomial number of steps in terms of

2 Generic definitions of one-way functions

2.1 Definition restricted to PPT adversary

In Definition 1.7 the performance of an algorithm $A$ is averaged over all inputs, which results in a complicated probability space. We would like to apply ideas of generic complexity and consider the performance of an adversary on each input separately.

Note that naive random sampling will guess an inverse of a function $f$ on an input of length $n$ with probability $1/2^n$. An algorithm with negligible probability of the correct answer cannot be amplified and, therefore, cannot be considered practical. A reasonable inversion algorithm should have a noticeable probability of success. To be more precise, the probability that an algorithm $A$ inverts $f(x)$ should satisfy

$$\Pr[A(f(x), 1^n) \in f^{-1}(f(x))] > \frac{1}{n^c}$$

for some positive constant $c$. To make a one-way function secure we must limit the number of inputs on which the adversary succeeds to a small set. We formalize these arguments in the following definition of a generically strong one-way function.

Definition 2.1 (Generically Strong One-Way function). Let $u = \{u_n\}$ be an ensemble of uniform spherical distributions over $\{0,1\}^*$.

A function $f : \{0,1\}^* \to \{0,1\}^*$ is called generically strong one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on input $x$ algorithm $A'$ outputs $f(x)$;

2. Hard to invert on almost all inputs: For every probabilistic polynomial-time algorithm $A$, all constants $c > 0$, every positive polynomial $p$ and all sufficiently large $n$:

$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A(f(x), 1^n) \in f^{-1}(f(x))] > n^{-c}\}\big) < \frac{1}{p(n)},$$

where the probability is taken over the internal states of the algorithm $A$.

Similarly we can define a generically weak one-way function.

Definition 2.2 (Generically Weak One-Way function). Let $u = \{u_n\}$ be an ensemble of uniform spherical distributions over $\{0,1\}^*$.

A function $f : \{0,1\}^* \to \{0,1\}^*$ is called generically weak one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on input $x$ algorithm $A'$ outputs $f(x)$;

2. Hard to invert on a large enough set of inputs: For every probabilistic polynomial-time algorithm $A$ and every constant $c > 0$ there exists a polynomial $p(n)$ such that for all sufficiently large $n$:

$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A(f(x), 1^n) \in f^{-1}(f(x))] < n^{-c}\}\big) > \frac{1}{p(n)},$$

where the probability is taken over the internal states of the algorithm $A$.

The following lemmas show that Definitions 2.1 and 1.7 are equivalent. We give the equivalence results for strong one-way functions. Similar results hold for the weak notion as well (see the Appendix for the detailed proof). We use a standard reduction argument, which proceeds by showing that if there exists an algorithm which violates the conditions of the first definition then we can construct an algorithm which will violate the conditions of the second one.

Lemma 2.3. Let $f : \{0,1\}^* \to \{0,1\}^*$ and suppose there is a probabilistic polynomial-time algorithm $A$ such that for some constants $c > 0$ and $d > 0$ and infinitely many $n$

$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A(f(x), 1^n) \in f^{-1}(f(x))] > n^{-c}\}\big) > \frac{1}{n^d}.$$

Then there exists a probabilistic polynomial-time algorithm $A'$ such that for infinitely many $n$

$$\Pr_{(x,\sigma)}[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))] > \frac{1}{n^{d+1}}.$$


Proof. First of all observe that since we can compute $f$, we can also check whether an algorithm indeed returns an inverse of $f(x)$ or not. By definition, $f^{-1}(y) = \{x \mid y = f(x)\}$, therefore if $f(A(f(x))) = f(x)$ then $A(f(x))$ is an inverse of $f(x)$.

Now construct an algorithm $A'$ as follows. Repeat algorithm $A$ on a given input $x$ until a witness for the inverse problem (i.e. the inverse itself) is obtained. Let

$$S_n = \{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > n^{-c}\}.$$

For the algorithm $A'$ to be practical on the set $S_n$ we need to show that for every $x \in S_n$ we can obtain an inverse with high probability using only polynomially many repetitions of $A$, i.e.

$$\Pr_\sigma[A'_k(f(x)) \in f^{-1}(f(x))] > 1 - \varepsilon, \qquad (1)$$

where $k = p(n)$ and $\varepsilon < \frac{1}{n^m}$ for any $m > 0$.

Let $y_i$ be the output of the $i$-th run of the algorithm $A$ on an input $x \in S_n$ and let $X_i$, $i = 1, \ldots, k$, be random variables such that $X_i = 1$ if $y_i \in f^{-1}(f(x))$ and $X_i = 0$ otherwise. The $X_i$ are mutually independent and $E[X_i] = \Pr[X_i = 1] > n^{-c}$. We also define $X_i^0$, $i = 1, \ldots, k$, to be random variables such that $X_i^0 = 0$ if $y_i \in f^{-1}(f(x))$ and $X_i^0 = 1$ if the $i$-th run of $A$ fails. The $X_i^0$ are also mutually independent and $E[X_i^0] = 1 - \Pr[X_i = 1] < 1 - n^{-c}$.

Note that for $A'$ to produce an answer only one of the $y_i$ needs to be a witness, therefore to show (1) we need to show that

$$\Pr\Big[\sum_{i=1}^k X_i \ge 1\Big] = \Pr\Big[\sum_{i=1}^k X_i^0 \le k - 1\Big] > 1 - \varepsilon,$$

which is equivalent to showing

$$\Pr\Big[\sum_{i=1}^k X_i^0 > k - 1\Big] < \varepsilon. \qquad (2)$$

Using the Chernoff bound for the sum of the independent $X_i^0$, whose expectation is less than $k(1 - n^{-c})$, we have for $\delta > 0$

$$\Pr\Big[\sum_{i=1}^k X_i^0 - k\Big(1 - \frac{1}{n^c}\Big) > \delta\, k\Big(1 - \frac{1}{n^c}\Big)\Big] = \Pr\Big[\sum_{i=1}^k X_i^0 > k\Big(1 - \frac{1}{n^c}\Big)(1 + \delta)\Big], \qquad (3)$$

and the Chernoff bound makes this probability exponentially small in $\delta$ and $k$. Substituting $\delta = (k - n^c)/(k(n^c - 1))$ into (3), which makes $k(1 - n^{-c})(1 + \delta) = k - 1$, we obtain a bound on

$$\Pr\Big[\sum_{i=1}^k X_i^0 > k - 1\Big].$$

Choosing $k$ to be a large enough polynomial in $n$ we have

$$\Pr\Big[\sum_{i=1}^k X_i^0 > k - 1\Big] < 2^{-2(n+2)}.$$

Therefore we obtained

$$\Pr_\sigma[A'_k(f(x)) \in f^{-1}(f(x))] > 1 - \varepsilon,$$

where $\varepsilon = 2^{-2(n+2)}$. Note that a similar result can be obtained without using the Chernoff bound; however, the Chernoff bound allows us to obtain a tighter bound on the number of repetitions of the algorithm $A$.

Taking the sum over all $x \in S_n$ we obtain

$$\sum_{x \in S_n} \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))] > \sum_{x \in S_n} (1 - \varepsilon) = |S_n|(1 - \varepsilon).$$

Note that

$$\frac{|S_n|}{|I_n|} > \frac{1}{n^d}.$$

Therefore

$$|S_n| > \frac{|I_n|}{n^d} = \frac{2^n}{n^d}.$$

It follows that

$$\sum_{x \in S_n} \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))] > |S_n|(1 - \varepsilon) > \frac{2^n}{n^d}(1 - \varepsilon). \qquad (4)$$

Next we show that $\Pr_{(x,\sigma)}[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))] > \frac{1}{n^d}(1 - \varepsilon)$. Define $A'(x, \sigma) = 1$ if the computation of $A'$ corresponding to the oracle $\sigma$ inverts $f(x)$ and $A'(x, \sigma) = 0$ otherwise.

Now we have

$$\Pr_{(x,\sigma)}[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))] = \sum_{(x,\sigma)} A'(x, \sigma)\, p(x, \sigma),$$

where $p(x, \sigma)$ is the joint probability mass function.

Note that $x$ and $\sigma$ are independent from each other, therefore

$$\sum_{(x,\sigma)} A'(x, \sigma)\, p(x, \sigma) = \sum_{x \in I_n} \sum_{\sigma \in \{0,1\}^{t(n)}} A'(x, \sigma)\, p(x)\, p(\sigma) = \frac{1}{2^n} \sum_{x \in I_n} \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))].$$

From (4) and the equation above we have

$$\Pr_{(x,\sigma)}[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))] \ge \frac{1}{2^n} \sum_{x \in S_n} \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))] > \frac{1}{2^n} \cdot \frac{2^n}{n^d}(1 - \varepsilon) = \frac{1}{n^d}(1 - \varepsilon).$$

Now let $d' = d + 1$. It is easy to see that $\frac{1}{n^d}(1 - \varepsilon) > \frac{1}{n^{d'}}$ for $n \ge 2$. Therefore we have

$$\Pr_{(x,\sigma)}[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))] > \frac{1}{n^{d'}}.$$

□
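The two probability spaces of Definitions 1.7 and 2.1, and the repeat-and-verify construction $A'$ from the proof of Lemma 2.3, worked out exactly on a toy function (added example; this is not code from the paper). The function $f$ (a Gray code on $n$-bit strings),the adversary and its "easy" set are constructed for the illustration only: on images of inputs of Hamming weight at most 1 the toy adversary inverts with certainty, elsewhere it outputs its coin flips as a guess. Because the coin space is enumerated, $\delta_{A,f}(x)$, the set $\{x \mid \delta_{A,f}(x) > n^{-c}\}$, and $\Pr_{(x,\sigma)}$ are computed as exact fractions, and the identity $\Pr_{(x,\sigma)} = 2^{-n}\sum_x \delta_{A,f}(x)$ used in the proof can be checked directly.

```python
from fractions import Fraction


def f(x):
    """Toy candidate function on n-bit strings (integers 0..2^n-1): the binary reflected Gray code.
    Constructed for the example; it is a bijection, so the probabilities below are exact."""
    return x ^ (x >> 1)


def gray_inverse(y):
    """Exact inverse of f, used only inside the toy adversary on its 'easy' inputs."""
    x = 0
    while y:
        x ^= y
        y >>= 1
    return x


def adversary(y, coins, n):
    """Toy adversary A(f(x)) with internal coin flips `coins` in {0,1}^n (an n-bit integer).
    If the preimage has Hamming weight <= 1 it returns it; otherwise it outputs the coins as a guess."""
    x = gray_inverse(y)
    if bin(x).count("1") <= 1:
        return x
    return coins


def delta(x, n):
    """delta_{A,f}(x) = Pr_sigma[A(f(x)) in f^{-1}(f(x))], exact: enumerate all 2^n coin strings
    and verify each answer with f, exactly as A' does in the proof of Lemma 2.3."""
    y = f(x)
    hits = sum(1 for coins in range(2 ** n) if f(adversary(y, coins, n)) == y)
    return Fraction(hits, 2 ** n)


def generic_success_density(n, c):
    """u_n({x in I_n : delta_{A,f}(x) > n^{-c}}): the quantity bounded in Definition 2.1."""
    threshold = Fraction(1, n ** c)
    return Fraction(sum(1 for x in range(2 ** n) if delta(x, n) > threshold), 2 ** n)


def averaged_success(n):
    """Pr_{(x,sigma)}[A(f(U_n)) in f^{-1}(f(U_n))] of Definition 1.7, enumerated over all pairs (x, sigma)."""
    hits = sum(1 for x in range(2 ** n) for coins in range(2 ** n)
               if f(adversary(f(x), coins, n)) == f(x))
    return Fraction(hits, 4 ** n)


def mean_of_delta(n):
    """(1/2^n) * sum_x delta_{A,f}(x); equals averaged_success(n) because x and sigma are
    independent (the identity used in the proof of Lemma 2.3)."""
    return sum(delta(x, n) for x in range(2 ** n)) / 2 ** n


def amplified_delta(x, n, k):
    """Success probability of A'_k: run A k times with fresh coins and return the first answer
    that f verifies; one witness among the k runs suffices."""
    return 1 - (1 - delta(x, n)) ** k
```

For $n = 4$ the easy set has five elements, so `generic_success_density(4, 1)` is $5/16$ while the remaining eleven inputs have $\delta = 1/16$; `averaged_success(4)` and `mean_of_delta(4)` both give $91/256$, and `amplified_delta(3, 4, 2)` shows the per-input gain from two repetitions, $1 - (15/16)^2 = 31/256$.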

The implication holds in the opposite direction as well.

Lemma 2.4. Let $f : \{0,1\}^* \to \{0,1\}^*$ and suppose there is a probabilistic polynomial-time algorithm $A$ such that for some polynomial $p(n)$ and infinitely many $n$

$$\Pr_{(x,\sigma)}[A(f(U_n), 1^n) \in f^{-1}(f(U_n))] > \frac{1}{p(n)}.$$

Then there exists a probabilistic polynomial-time algorithm $A'$ such that for every $c > 0$ and infinitely many $n$

$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))] > n^{-c}\}\big) > \frac{1}{2p(n)}.$$
Proof. First we show that

$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > 1/2p(n)\}\big) > \frac{1}{2p(n)}. \qquad (5)$$

The proof follows directly from the following averaging argument:

Claim 2.5. Let $a_1, \ldots, a_N \in [0, 1]$ and $p > 0$ such that $\frac{1}{N}\sum_{i=1}^N a_i > p$, and let $k = \#\{a_i \mid a_i > p/2\}$. Then

$$\frac{k}{N} > \frac{p}{2}.$$
Observe that

$$\Pr_{(x,\sigma)}[A(f(U_n), 1^n) \in f^{-1}(f(U_n))] = \frac{1}{2^n}\sum_{x \in I_n} \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > \frac{1}{p(n)}.$$

If we set $a_i = \Pr_\sigma[A(f(x_i)) \in f^{-1}(f(x_i))]$, $x_i \in I_n$, $N = 2^n$, $p = 1/p(n)$ and $k = \#\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > 1/2p(n)\}$ then it follows from the claim above that

$$\frac{k}{2^n} > \frac{1}{2p(n)}$$

and

$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > 1/2p(n)\}\big) > \frac{1}{2p(n)}.$$

Now observe that for any $c > 0$ there exists a probabilistic polynomial-time algorithm $A'$ such that

$$\#\{x \in I_n \mid \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))] > n^{-c}\} \ge k. \qquad (6)$$

Indeed, in the case when $n^{-c} \le 1/2p(n)$ the claim follows directly with $A' = A$. In the second case, when $n^{-c} > 1/2p(n)$, we can use probabilistic error reduction (repeating $A$ polynomially many times and checking each answer with $f$, as in the proof of Lemma 2.3) and construct an algorithm $A'$ such that (6) holds. Therefore there exists a polynomial-time algorithm $A'$ such that

$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))] > n^{-c}\}\big) > \frac{1}{2p(n)}.$$

□

The following result demonstrates the connection between the security assumption and asymptotic properties of the input sets.

Proposition 2.6. A polynomial-time computable function $f : \{0,1\}^* \to \{0,1\}^*$ is strongly one-way if and only if every probabilistic polynomial-time algorithm $A$ fails to invert $f$ on all but strongly negligible sets of inputs with respect to an ensemble of uniform spherical distributions over $\{0,1\}^*$.

Proof. Suppose $f$ is strongly one-way and suppose there exists an algorithm $A$ which inverts $f$ on a set $S$ which is not strongly negligible. Then there exists a polynomial $p(n)$ such that

$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > n^{-c}\}\big) = u_n(S \cap I_n) = \delta_S(n) > \frac{1}{p(n)}.$$

Therefore $f$ is not strongly one-way by Definition 2.1.

Now, suppose $f$ is not one-way. Then there exists an algorithm $A$ such that

$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > n^{-c}\}\big) > \frac{1}{p(n)}$$

for some polynomial $p$, which contradicts the assumption of the proposition.

□



2.2 Generic definition with a more general adversary 



The most interesting question is whether the generic approach may give us new, more general security assumptions. Note that the polynomial bound on the adversary is not necessary. The only condition that a successful adversary needs to satisfy is to have an algorithm which terminates in polynomial time with a correct answer on a non-negligible set of inputs. Suppose we would like to make a security statement which holds against a much stronger adversary, i.e. a partial probabilistic heuristic algorithm which may output incorrect answers. Although an adversary algorithm may not terminate on some inputs, it would still be a threat if it succeeds on a relatively large set of inputs.

Definition 2.7 (Partial algorithm with errors). Let $I$ be the set of inputs. We say that an algorithm $A$ is a partial algorithm with errors if it is correct on a subset $X \subseteq I$ of inputs and on the set $I - X$ it either does not stop or stops with an incorrect answer.

To make a formal statement we need the notion of the achievement ratio of an adversary, which is similar to the notions given in [1], [?].

Definition 2.8 (Achievement ratio). Let $f : \{0,1\}^* \to \{0,1\}^*$ be a function and let $A$ be a partial probabilistic algorithm with errors. The achievement ratio of $A$ on an instance $f(x)$ is defined as

$$R_{A,f}(x) = T_{A,f}(x) / \delta_{A,f}(x),$$

where $T_{A,f}(x)$ is the time required for $A$ to terminate on the input $f(x)$ and $\delta_{A,f}(x) = \Pr_\sigma[A(f(x), 1^n) \in f^{-1}(f(x))]$ is the probability, over the internal coin flips of $A$, that $A$ inverts $f(x)$.

The achievement ratio allows one to consider a larger class of algorithms whose running time may not be bounded by a polynomial. In order for an adversary to have a polynomial achievement ratio on a given input $x$, it has to have both a polynomial running time and a noticeable probability of inverting $f(x)$.

The following definition is an attempt to give an intuitive notion of a generalized practical security assumption for a one-way function.

Definition 2.9. Let $u = \{u_n\}$ be an ensemble of uniform spherical distributions over $\{0,1\}^*$.

A function $f : \{0,1\}^* \to \{0,1\}^*$ is called strongly one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on input $x$ algorithm $A'$ outputs $f(x)$;

2. Hard to invert: For every partial probabilistic algorithm with errors $A$, all constants $c > 0$, every positive polynomial $p$ and all sufficiently large $n$:

$$u_n\big(\{x \in I_n \mid R_{A,f}(x) < n^c\}\big) < \frac{1}{p(n)}.$$

The question is whether or not this definition gives us any advantage over the definitions given earlier. The following argument says that if we allow only a polynomial number of steps for an adversary on a success then, in fact, this definition is equivalent to the one which is limited to the PPT adversary.

The main idea is that since the success of an adversary on an input $x$ means that it has to terminate in a polynomial number of steps, we do not really care whether the adversary is a partial algorithm or not. If we have a successful partial algorithm then we can construct a PPT algorithm by allowing it to run for a polynomial number of steps, and this polynomial-time algorithm will be as successful as the partial one.

Let GSPPT and GSPART be the classes of one-way functions which satisfy the conditions of Definition 2.1 and Definition 2.9 respectively.

Proposition 2.10. A function $f \in$ GSPPT if and only if $f \in$ GSPART.

Proof. First we show that $f \in$ GSPART implies $f \in$ GSPPT. The proof is by contradiction. Let $f : \{0,1\}^* \to \{0,1\}^*$ and assume that $f \in$ GSPART but $f \notin$ GSPPT. Then there exist a PPT algorithm $A$, a constant $c > 0$ and a polynomial $p(n)$ such that for infinitely many $n$

$$u_n\big(\{x \mid \delta_{A,f}(x) > n^{-c}\}\big) > \frac{1}{p(n)}.$$

Note that a PPT algorithm $A$ is also a partial probabilistic algorithm such that $T_{A,f}(x) \le q(n)$ for some positive polynomial $q$ and all $x$. Therefore,

$$\begin{aligned}
u_n\big(\{x \mid \delta_{A,f}(x) > n^{-c}\}\big) &> \frac{1}{p(n)} \\
u_n\big(\{x \mid \delta_{A,f}(x)/T_{A,f}(x) > n^{-c}/T_{A,f}(x)\}\big) &> \frac{1}{p(n)} \\
u_n\big(\{x \mid T_{A,f}(x)/\delta_{A,f}(x) < n^c\, T_{A,f}(x)\}\big) &> \frac{1}{p(n)} \\
u_n\big(\{x \mid R_{A,f}(x) < n^c\, T_{A,f}(x)\}\big) &> \frac{1}{p(n)} \\
u_n\big(\{x \mid R_{A,f}(x) < n^d\}\big) &> \frac{1}{p(n)},
\end{aligned}$$

where $d$ is chosen such that $n^d > q(n) \cdot n^c$ (the last set contains the previous one, since $n^c\, T_{A,f}(x) \le n^c q(n) < n^d$). This is a contradiction to the condition $f \in$ GSPART.

The proof in the opposite direction uses a similar argument. Suppose that $f \in$ GSPPT but $f \notin$ GSPART. In other words, we suppose there exists a partial probabilistic algorithm $B$ such that for some polynomial $p(n)$ and infinitely many $n$

$$u_n\big(\{x \in I_n \mid R_{B,f}(x) < n^c\}\big) > \frac{1}{p(n)}.$$

Define $A$ to be an algorithm which on a given input $x \in I_n$ runs $B$ for $n^c$ steps. Let $S = \{x \mid R_{B,f}(x) < n^c\}$. First observe that by the assumption, for all $x \in S$

$$\delta_{B,f}(x) > \frac{T_{B,f}(x)}{n^c} \ge \frac{1}{n^c}.$$

Obviously, $\delta_{A,f}(x) = \delta_{B,f}(x)$ for all $x$ such that $T_{B,f}(x) \le n^c$. Therefore, since $\delta_{B,f}(x) \in [0, 1]$ we have

$$\delta_{A,f}(x) = \delta_{B,f}(x)$$

for all $x$ such that $T_{B,f}(x) < \delta_{B,f}(x) \cdot n^c$, i.e. for all $x \in S$. Hence we have $\delta_{A,f}(x) > \frac{1}{n^c}$ for all $x \in S$ and

$$u_n\big(\{x \in I_n \mid \delta_{A,f}(x) > n^{-c}\}\big) \ge u_n(S) > \frac{1}{p(n)}.$$

Therefore, the probabilistic polynomial-time algorithm $A$ inverts $f$ on a not strongly negligible set, which contradicts our assumption that $f$ is one-way with respect to Definition 2.1.

□
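The truncation step of Proposition 2.10, as an added example that is not code from the paper: a partial probabilistic adversary $B$ is modelled by a per-input table of its halting time $T_{B,f}(x)$ (possibly infinite) and success probability $\delta_{B,f}(x)$, the PPT algorithm $A$ is obtained by running $B$ for $n^c$ steps, and the inclusion used in the proof, that every $x$ with $R_{B,f}(x) < n^c$ satisfies $\delta_{A,f}(x) > n^{-c}$, is checked on the constructed table. The table values, $n = 4$ and $c = 2$ are assumptions of the example.

```python
import math
from fractions import Fraction

# Constructed behaviour table of a partial probabilistic adversary B on I_4 (inputs 0..15):
#   T_B(x)     = steps until B halts on f(x)  (math.inf: B never halts on this input)
#   delta_B(x) = Pr_sigma[B inverts f(x)]      (0 when B halts with a wrong answer)
N = 4
PARTIAL_B = {}
for x in range(2 ** N):
    if x < 4:
        PARTIAL_B[x] = (2, Fraction(1))          # fast and always correct
    elif x < 8:
        PARTIAL_B[x] = (10, Fraction(1, 2))      # fast, correct half of the time
    elif x < 12:
        PARTIAL_B[x] = (100, Fraction(1))        # correct, but too slow for the budget n^2 = 16
    else:
        PARTIAL_B[x] = (math.inf, Fraction(0))   # never halts


def achievement_ratio(T, delta):
    """R_{B,f}(x) = T_{B,f}(x) / delta_{B,f}(x) (Definition 2.8); infinite when B never halts or never succeeds."""
    if T == math.inf or delta == 0:
        return math.inf
    return Fraction(T) / delta


def truncate(table, budget):
    """The PPT algorithm A of Proposition 2.10: run B for `budget` steps and give up afterwards.
    Returns delta_{A,f}(x) for every x: equal to delta_{B,f}(x) when B halts in time, else 0."""
    return {x: (d if T <= budget else Fraction(0)) for x, (T, d) in table.items()}


def density(pred, n):
    """u_n({x in I_n : pred(x)}) for I_n = {0, ..., 2^n - 1} under the uniform spherical distribution."""
    return Fraction(sum(1 for x in range(2 ** n) if pred(x)), 2 ** n)


def partial_success_density(table, n, c):
    """u_n({x : R_{B,f}(x) < n^c}), the measure of the set S in the proof."""
    return density(lambda x: achievement_ratio(*table[x]) < n ** c, n)


def ppt_success_density(table, n, c):
    """u_n({x : delta_{A,f}(x) > n^{-c}}) for A = B truncated to n^c steps (the quantity of Definition 2.1)."""
    a = truncate(table, n ** c)
    return density(lambda x: a[x] > Fraction(1, n ** c), n)


def inclusion_holds(table, n, c):
    """The step used in the proof: every x with R_{B,f}(x) < n^c has delta_{A,f}(x) > n^{-c},
    hence u_n({delta_A > n^{-c}}) >= u_n(S)."""
    a = truncate(table, n ** c)
    return all(a[x] > Fraction(1, n ** c)
               for x in range(2 ** n) if achievement_ratio(*table[x]) < n ** c)
```

With $n = 4$ and $c = 2$ the set $S$ has density $1/4$ (only the four fast, always-correct inputs have $R_{B,f}(x) < 16$), while the truncated $A$ succeeds with probability above $1/16$ on half of the inputs; the inequality $u_n(\{\delta_{A,f} > n^{-c}\}) \ge u_n(S)$ holds, and inputs on which $B$ never halts or is too slow contribute nothing to either side.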



Note that the proof is simple and quite compact. Using the equivalence Lemmas 2.3 and 2.4 we can conclude that Definition 2.9 is equivalent to Definition 1.7, which is based on the averaging argument. It seems that obtaining the same result would be a more difficult task when working with the average-type definitions directly.

Similarly one can define a weaker variation of a one-way function with a partial adversary.

Definition 2.11. Let $u = \{u_n\}$ be an ensemble of uniform spherical distributions over $\{0,1\}^*$.

A function $f : \{0,1\}^* \to \{0,1\}^*$ is called weakly one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on input $x$ algorithm $A'$ outputs $f(x)$;

2. Hard to invert on a non-negligible set: For every partial algorithm $A$ and every constant $c > 0$, there exists a polynomial $p(n)$ such that for all sufficiently large $n$

$$u_n\big(\{x \in I_n \mid R_{A,f}(x) > n^c\}\big) > \frac{1}{p(n)}.$$

The equivalence result for weak one-way functions holds as well. Let GWPPT be the class of generically weak one-way functions and GWPART be the class of one-way functions satisfying Definition 2.11.

Proposition 2.12. A function $f \in$ GWPPT if and only if $f \in$ GWPART.

Proof. The proof is similar to the proof of Proposition 2.10. Suppose that $f \in$ GWPART but $f \notin$ GWPPT. Then there exist a PPT algorithm $B$ and a constant $c > 0$ such that for all polynomials $p(n)$ and infinitely many $n$

$$u_n\big(\{x \mid \delta_{B,f}(x) < n^{-c}\}\big) < \frac{1}{p(n)}.$$

The probabilistic polynomial-time algorithm $B$ is a probabilistic partial algorithm such that its time $T_{B,f}(x) \le q(n)$ for some positive polynomial $q$ and all $x$.

Therefore, there exists a probabilistic partial algorithm $B$ such that for all positive polynomials $p$:

$$\begin{aligned}
\frac{1}{p(n)} &> u_n\big(\{x \mid \delta_{B,f}(x) < n^{-c}\}\big) \\
&= u_n\big(\{x \mid T_{B,f}(x)\,\delta_{B,f}(x) < T_{B,f}(x)\, n^{-c}\}\big) \\
&= u_n\big(\{x \mid T_{B,f}(x)/\delta_{B,f}(x) > T_{B,f}(x)\, n^c\}\big) \\
&= u_n\big(\{x \mid R_{B,f}(x) > T_{B,f}(x)\, n^c\}\big) \\
&\ge u_n\big(\{x \mid R_{B,f}(x) > n^d\}\big)
\end{aligned}$$

for every $d$ with $n^d \ge q(n)\, n^c$, which contradicts the assumption that $f \in$ GWPART.

Now note that if $f$ is not weakly one-way in terms of Definition 2.11 then there exists a partial algorithm $B$ such that for some constant $c > 0$, every polynomial $poly(n)$ and infinitely many $n$

$$u_n\big(\{x \in I_n \mid R_{B,f}(x) < n^c\}\big) > 1 - \frac{1}{poly(n)}.$$

Define a probabilistic polynomial-time algorithm $A$ which runs $B$ for $n^c$ steps. Using the equalities from Proposition 2.10 we obtain

$$u_n\big(\{x \in I_n \mid \delta_{A,f}(x) > n^{-c}\}\big) \ge u_n\big(\{x \in I_n \mid R_{B,f}(x) < n^c\}\big) > 1 - \frac{1}{poly(n)}.$$

Therefore,

$$u_n\big(\{x \in I_n \mid \delta_{A,f}(x) < n^{-c}\}\big) < \frac{1}{poly(n)}$$

for any polynomial $poly(n)$. Therefore, $f$ is not weakly one-way with respect to the PPT algorithm $A$.

□



One of the important results about one-way functions is the so-called amplification theorem, which states that having a weak one-way function we can always construct a strong one. The equivalences shown above allow us to make a similar statement for generic one-way functions.

Theorem 2.13 (Amplification). Generically weak one-way functions exist if and only if generically strong one-way functions exist.

Proof. The proof is a corollary of the equivalence results (Lemmas 2.3 and 2.4, Propositions 2.10 and 2.12) and the classical amplification theorem.

□



3 Conclusion

The definition based on the generic case complexity methodology has a significant advantage in the fact that the probabilities over the inputs and over the internal states of the algorithm are taken separately. The definition is very intuitive and easy to understand. In fact it may be seen as a direct formalization of the definition by Diffie and Hellman which we quote in the introduction.

Operating with simpler probability spaces and considering inputs separately may have some practical implications. The work in this direction started very recently and the potential of the generic approach has been little realized. It would be interesting to see if generic complexity can be used to simplify definitions of cryptographic primitives and reducibility arguments. Applications of generic case complexity to the analysis of the security of particular one-way function candidates could also be of great interest.
A Proof of equivalence for the definitions of Weak One-Way functions

The following is the classical definition of a weak one-way function.

Definition A.1 (Weak One-Way function). A function $f : \{0,1\}^* \to \{0,1\}^*$ is called weakly one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on an input $x$ algorithm $A'$ outputs $f(x)$;

2. Slightly hard to invert: There exists a polynomial $p$ such that for every PPT $A$ and all sufficiently large $n$:

$$\Pr_{(x,\sigma)}[A(f(U_n), 1^n) \notin f^{-1}(f(U_n))] > \frac{1}{p(n)},$$

where $U_n$ is a random variable uniformly distributed over $\{0,1\}^n$ and the probability is taken over all input strings from $\{0,1\}^n$ and the internal states of $A$.

Proposition A.2. Definitions A.1 and 2.2 are equivalent.

The following two lemmas give the proof. Denote

$$\delta_{A,f}(x) = \Pr_\sigma[A(f(x), 1^n) \in f^{-1}(f(x))]$$

and

$$\bar\delta_{A,f}(x) = \Pr_\sigma[A(f(x), 1^n) \notin f^{-1}(f(x))].$$

Obviously

$$\bar\delta_{A,f}(x) = 1 - \delta_{A,f}(x).$$

Lemma A.3 (Generic implies Classic). Suppose there exists a PPT algorithm $A$ such that for some (equivalently all) $c > 0$, all polynomials $p$ and infinitely many $n$

$$u_n\big(\{x \in I_n \mid \delta_{A,f}(x) < n^{-c}\}\big) < \frac{1}{p(n)};$$

then there exists a PPT algorithm $A'$ such that for all polynomials $q(n)$ and infinitely many $n$

$$\Pr_{(x,\sigma)}[A'(f(U_n), 1^n) \notin f^{-1}(f(U_n))] < \frac{1}{q(n)}.$$

Proof. Observe that

$$u_n\big(\{x \mid \delta_{A,f}(x) \ge n^{-c}\}\big) > 1 - \frac{1}{p(n)}.$$

Let

$$S_n = \{x \mid \delta_{A,f}(x) \ge n^{-c}\}.$$

Then

$$u_n(S_n) = \frac{|S_n|}{2^n} > 1 - \frac{1}{p(n)}.$$

However,

$$\frac{1}{2^n}\sum_{x \in S_n} \delta_{A,f}(x) \ge \frac{|S_n|}{2^n}\, n^{-c} > n^{-c}\Big(1 - \frac{1}{p(n)}\Big) = \frac{p(n) - 1}{n^c\, p(n)} \ge \frac{1}{n^c\, p(n)}$$

(for $p(n) \ge 2$). From the proof of the equivalence for the case of strong one-way functions we know that

$$\Pr_{(x,\sigma)}[A(f(U_n), 1^n) \in f^{-1}(f(U_n))] \ge \frac{1}{2^n}\sum_{x \in S_n} \delta_{A,f}(x).$$

Therefore

$$\Pr_{(x,\sigma)}[A(f(U_n), 1^n) \in f^{-1}(f(U_n))] > \frac{1}{n^c\, p(n)}.$$

Again, from the proof of the strong version we know that by repeating the algorithm $A$ polynomially many times we can obtain an algorithm $A'$ such that

$$\Pr_{(x,\sigma)}[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))] > 1 - \varepsilon,$$

where $\varepsilon < 1/q(n)$ for any positive polynomial $q(n)$. Then

$$\Pr_{(x,\sigma)}[A'(f(U_n), 1^n) \notin f^{-1}(f(U_n))] < 1 - (1 - \varepsilon) = \varepsilon < \frac{1}{q(n)}$$

for all polynomials $q(n)$.

□

Lemma A.4 (Classic implies Generic). Suppose there exists a PPT algorithm $A$ such that for all polynomials $p$ and infinitely many $n$

$$\Pr_{(x,\sigma)}[A(f(U_n), 1^n) \notin f^{-1}(f(U_n))] < \frac{1}{p(n)};$$

then there exists a PPT algorithm $A'$ such that for some (equivalently all) $c > 0$, all polynomials $p(n)$ and infinitely many $n$

$$u_n\big(\{x \in I_n \mid \delta_{A',f}(x) < n^{-c}\}\big) < \frac{1}{p(n)}.$$

Proof. Fix $d > 0$ and let

$$S_n = \{x \mid \bar\delta_{A,f}(x) > n^{-d}\}.$$

Observe that

$$n^d \cdot \Pr_{(x,\sigma)}[A(f(U_n), 1^n) \notin f^{-1}(f(U_n))] < \frac{1}{p(n)}$$

for all positive polynomials $p(n)$. Indeed, suppose that it is not. Then there exists a polynomial $p'(n)$ such that

$$n^d \cdot \Pr_{(x,\sigma)}[A(f(U_n), 1^n) \notin f^{-1}(f(U_n))] \ge \frac{1}{p'(n)}$$

and

$$\Pr_{(x,\sigma)}[A(f(U_n), 1^n) \notin f^{-1}(f(U_n))] \ge \frac{1}{n^d\, p'(n)},$$

which contradicts the condition of the lemma.

Now using the same argument as in the previous proofs we can show that

$$\Pr_{(x,\sigma)}[A(f(U_n), 1^n) \notin f^{-1}(f(U_n))] = \frac{1}{2^n}\sum_{x \in I_n} \bar\delta_{A,f}(x) \ge \frac{1}{2^n}\sum_{x \in S_n} \bar\delta_{A,f}(x).$$

Therefore, for every $p(n)$

$$\frac{1}{p(n)} > n^d \cdot \Pr_{(x,\sigma)}[A(f(U_n), 1^n) \notin f^{-1}(f(U_n))] \ge \frac{n^d}{2^n}\sum_{x \in S_n} \bar\delta_{A,f}(x) > \frac{n^d}{2^n}\, |S_n|\, n^{-d} = \frac{|S_n|}{2^n} = u_n(S_n).$$

Note that

$$S_n = \{x \mid 1 - \delta_{A,f}(x) > n^{-d}\} = \{x \mid \delta_{A,f}(x) < 1 - n^{-d}\}.$$

Using amplification we can construct a PPT algorithm $A'$ which repeats $A$ polynomially many times and such that

$$S'_n = \{x \mid \delta_{A',f}(x) < \tfrac{1}{2}\} \subseteq S_n.$$

Therefore, there exists a PPT algorithm $A'$ such that for every polynomial $p(n)$

$$u_n\big(\{x \mid \delta_{A',f}(x) < \tfrac{1}{2}\}\big) < \frac{1}{p(n)},$$

and since $n^{-c} < \frac{1}{2}$ for every fixed $c > 0$ and all sufficiently large $n$, the set $\{x \mid \delta_{A',f}(x) < n^{-c}\}$ is contained in the set above, which gives the claim of the lemma.

□



